US8064597B2 - Method and system for mobile device credentialing - Google Patents


Publication number
US8064597B2
Authority
US (United States)
Prior art keywords
mobile device, server, credential, mobile, preliminary
Legal status
Active, expires
Application number
US11/948,352
Other versions
US20080260149A1 (en)
Inventor
Christian M Gehrmann
Current Assignee
Telefonaktiebolaget LM Ericsson AB
Original Assignee
Telefonaktiebolaget LM Ericsson AB
Application filed by Telefonaktiebolaget LM Ericsson AB
Priority to US11/948,352 (US8064597B2)
Assigned to TELEFONAKTIEBOLAGET LM ERICSSON (PUBL); assignors: GEHRMANN, CHRISTIAN
Priority to TW097110629A (TWI437867B)
Priority to JP2010503453A (JP5074578B2)
Priority to CN2008800169239A (CN101690287B)
Priority to EP08735870A (EP2140717B1)
Priority to AT08735870T (ATE519340T1)
Priority to PCT/EP2008/054136 (WO2008128873A1)
Priority to CA2684657A (CA2684657C)
Publication of US20080260149A1
Publication of US8064597B2
Application granted
Legal status: Active
Adjusted expiration


Abstract

Methods and systems taught herein allow mobile device manufacturers to preconfigure mobile devices for subscription with any network operator having access to a centralized device directory server. The directory server stores device records, each including a preliminary subscription identity. Manufacturers individually provision new mobile devices with these preliminary subscription identities, and network operators preliminarily register subscribers by submitting requests to the directory server that cause it to link individual device records with the appropriate credential server addresses. Mobile devices gain temporary network access by submitting their preliminary subscription identities, which get passed along to the directory server for verification. In turn, the directory server generates authentication vectors giving the mobile devices temporary network access, and returns the appropriate credential server addresses. The mobile devices use the address information to submit secure requests for permanent subscription credentials, and the involved credential servers securely return permanent subscription credentials responsive to valid requests.

Description

RELATED APPLICATIONS
This application claims priority under 35 U.S.C. §119(e) from the U.S. Provisional Patent Application Ser. No. 60/913,090, which was filed on 20 Apr. 2007 and entitled “OTA Soft SIM Credential Provisioning.”
BACKGROUND
1. Technical Field
The present invention generally relates to provisioning mobile devices, and particularly relates to facilitating over-the-air activation of mobile devices through the use of preliminary subscription identity information maintained in a centralized device directory that is accessible by one or more network operators.
2. Background
Efficient equipment manufacture, distribution, and activation are key enablers for effectively exploiting the range of business opportunities provided by the continuing revolution in wireless communications. The existing approaches to “provisioning” user equipment with the necessary subscription credentials represent one impediment to more efficient operations.
For example, one conventional approach relies on selling or otherwise distributing user equipment with installed Subscriber Identity Modules, SIMs. Each SIM comprises a tamper-resistant circuit module, commonly embodied in a small, card-like form factor, where the circuit module stores credential information for a specific network operator. In other words, the user equipment is tied to a particular network operator by virtue of the preprogrammed SIM, and the subscriber calls or otherwise contacts the network operator to provide billing information, etc. In response, the network operator marks that SIM as active in one or more subscriber databases, thereby making the user equipment operational.
Other approaches to automating the provisioning process, at least partially, have been proposed. Examples include U.S. Publication 2005/0079863 to Macaluso, which discloses a form of over-the-air provisioning (commonly noted as “OTA” provisioning in the relevant literature); U.S. Publication 2007/0099599 to Smith, which discusses dynamic provisioning of wireless services and initial provisioning via access to an internet database; U.S. Pat. No. 6,980,660 to Hind, which discloses methods for initializing wireless communication devices using an enterprise database; and U.S. Pat. No. 6,490,445 to Holmes, which discloses the use of temporary access information in wireless equipment, to allow a form of restricted network access for over-the-air provisioning.
As a general proposition, however, it seems that the complexity of the overall problem framework has prevented the past approaches from providing an overall system and method that simplifies manufacturing, sales, and, ultimately, registration of mobile devices with regard to secure over-the-air provisioning.
SUMMARY
Methods and systems taught herein allow mobile device manufacturers to pre-configure mobile devices for subscription with any network operator having access to a centralized device directory server. In at least one embodiment, mobile devices are provisioned with temporary device identifiers, which are also held in a centralized device directory server that is accessible to any number of network operators. Advantageously, a mobile station can be granted temporary access through any participating network, and that access thus is used to obtain permanent subscription credentials, via cooperation with a credential server associated with the network operator that will issue the permanent subscription credentials.
Accordingly, a method of facilitating over-the-air mobile communication device activation comprises, at a centralized device directory server, storing a device record that comprises preliminary subscription credential information for a mobile device, and sending at least part of the preliminary subscription credential information securely to an initial provisioning party, for use in initially provisioning the mobile device. The initial provisioning party may be, for example, a mobile device manufacturer. The method continues with receiving a device identifier for the mobile device from a credential server of a given network operator associated with an intended end-user of the mobile device, and correspondingly linking network address information of the credential server to the device record.
The method continues with receiving a validation request from an authentication server, responsive to the mobile device attempting to access a wireless communication network using the preliminary subscription credential information. In response to the validation request, the directory server sends an authentication vector based on a secret key included in the preliminary subscription credential information to the authentication server, if the preliminary subscription credential information for the mobile device is valid. The method also includes the directory server subsequently receiving a credential server address request from the mobile device, and sending network address information for the credential server to the mobile device, as linked in the device record stored for the mobile device.
In another embodiment, a system for facilitating over-the-air mobile communication device activation includes a centralized device directory server. The directory server in this embodiment comprises one or more processing circuits configured to store a device record that comprises preliminary subscription credential information for a mobile device, and to send at least part of the preliminary subscription credential information securely to an initial provisioning party, for use in initially provisioning the mobile device. The directory server is further configured to receive a device identifier for the mobile device from a credential server of a given network operator associated with an intended end-user of the mobile device, and correspondingly link network address information of the credential server to the corresponding device record.
Continuing, the directory server is configured to receive a validation request from an authentication server, responsive to the mobile device attempting to access a wireless communication network using the preliminary subscription credential information, and to send an authentication vector based on a secret key included in the preliminary subscription credential information to the authentication server, if the preliminary subscription credential information for the mobile device is valid. Still further, the directory server is configured to receive a credential server address request from the mobile device, subsequent to the mobile device gaining temporary access to the wireless communication network via the authentication vector, and to correspondingly send network address information for the credential server to the mobile device, as linked in the device record stored for the mobile device.
In one or more of the above embodiments, the preliminary subscription credential information, also referred to as preliminary subscription identities, comprises pairings of secret keys and Preliminary International Mobile Subscriber Identities, abbreviated as PIMSIs. Thus, the device directory stores, for example, a batch of PIMSI and secret key pairs, and device manufacturers provision individual mobile devices with individual PIMSI and secret key pairs.
Of course, the present invention is not limited to the above features and advantages. Indeed, those skilled in the art will recognize additional features and advantages upon reading the following detailed description, and upon viewing the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram of one embodiment of at least part of a system for facilitating over-the-air provisioning of mobile devices, including a centralized device directory server that provides preliminary subscription credential information to initial provisioning servers associated with, for example, device manufacturers.
FIG. 2 is a block diagram of one embodiment of a “device record” data element or structure, which includes a temporary device identifier and a secret key.
FIG. 3 is a block diagram of one embodiment of a mobile device.
FIG. 4 is a logic flow diagram of one embodiment of processing logic that may be implemented at a centralized device directory server, for generating and distributing preliminary subscription identities for use in initially provisioning mobile devices.
FIG. 5 is a logic flow diagram of one embodiment of processing logic that may be implemented at an initial provisioning server, for use in initially provisioning mobile devices based on information received or otherwise associated with preliminary subscription credential information stored in a centralized device directory server.
FIG. 6 is a block diagram of one embodiment of one or more credential servers that are communicatively coupled to a centralized device directory server, and are associated with one or more network operators.
FIG. 7 is a logic flow diagram of processing logic that may be implemented at a credential server, for causing a centralized device directory server to associate particular preliminary subscription credential information held by the centralized device directory server for particular mobile devices to the credential server.
FIG. 8 is a block diagram illustrating one embodiment of an overall system for facilitating over-the-air provisioning of a mobile device, including a centralized device directory server.
DETAILED DESCRIPTION
FIG. 1 illustrates one embodiment of a centralized device directory server 10 (“directory server 10”), as contemplated herein for facilitating over-the-air activation of mobile devices. The term “mobile device” should be construed broadly herein. By way of non-limiting example, the term encompasses cellular radiotelephones and other types of wireless mobile stations, and encompasses network access cards, and other wireless communication modules. Similarly, the term “activation” should be construed broadly, and the term at least refers to a method whereby a subscriber conveniently and securely obtains permanent (long-term) subscription credentials from the subscriber's associated network operator via an over-the-air provisioning process, even where the subscriber gains temporary network access through another network operator.
Better appreciating the flexibility and convenience of the activation system and method contemplated herein begins with a more detailed understanding of the directory server 10, in accordance with the example details illustrated in the figure. It includes or is associated with a data store 12, and includes one or more processing circuits 14. The processing circuits 14 include communication interfaces 16 and preliminary subscription processing circuits 18 (“subscription processing circuits 18”). The processing circuits 14 comprise hardware, software, or any combination thereof. For example, the processing circuits 14 may include one or more microprocessor-based circuits, which are configured to carry out the functions described herein by way of executing stored program instructions. Those instructions may be embodied as a computer program product retained, for example, in a computer-readable medium of the data store 12, or may be held in other memory/storage devices included in or associated with the directory server 10.
Other information stored at the directory server 10 includes a batch 20 of device records 22. Device records 22-1 through 22-N are illustrated, as an example. As shown in FIG. 2, in at least one embodiment, each device record 22 comprises preliminary subscription information for a mobile device. In one embodiment, each device record 22 includes a temporary device identifier 24 and a secret key 26. Also, as will be explained later, each device record 22 is linked to (e.g., includes or points to) credential server network address information 28. (Further, while not explicitly illustrated in the drawing, the directory server 10 may store a Public Device Identifier (PDI) in each device record 22. In one example, the PDI is obtained using a one-way “hash” function on the temporary device identifier 24.)
According to this basic setup, each device record 22 represents temporary subscription credentials for one mobile device. The directory server 10 is configured in one or more embodiments to generate batches 20 of device records 22, which can then be distributed to any number of parties involved in initially provisioning mobile devices. Typically, device records 22 are distributed to one or more mobile device manufacturers. In at least one embodiment herein, different batches 20 of device records 22 are generated for different manufacturers. For example, assuming that the temporary device identifier 24 is generated as a number, e.g., a Preliminary International Mobile Subscriber Identity (PIMSI), different ranges of numbers may be used for different device manufacturers. Doing so permits network elements involved in later over-the-air activation of a mobile device to determine the device's manufacturer from the range value of the temporary device identifier 24 reported by the mobile device.
Now, referring back to FIG. 1, one sees that the directory server 10 generates one or more batches 20 of device records 22, and distributes the device records 22 to an initial provisioning server 30 (or other computer system) at each of one or more mobile device manufacturers. Particularly, FIG. 1 illustrates initial provisioning servers 30-1 through 30-R, associated with different mobile device manufacturers 1 through R. Each provisioning server 30 receives some number of device records 22 from the device directory 10, and loads all or part of an individual device record 22 into a particular one of the mobile devices 32 being initially provisioned by it. This loading may be integrated into the manufacturing process.
Preferably, as shown in FIG. 3, each mobile device 32 includes system circuits 40 (processors, user-interface circuits, etc.), communication circuits 42 (cellular, WLAN, WiFi, etc.), and a trusted module 44, such as configured according to ARM® TrustZone®, Mobile Trusted Module (MTM), or Trusted Platform Module (TPM) implementations. In one or more embodiments, the trusted module 44 includes, for example, a secure processor 46, secure memory 48, and a cryptographic engine 50. Other secure processing environments can be used, and the secure architecture details that are illustrated should not be construed as limiting the teachings presented herein.
In any case, an initial provisioning server 30 thus loads into a given mobile device 32 all or part of a device record 22, where that device record 22 is also held by the directory server 10. In this manner, a subscriber's later attempt to activate the mobile device 32 may be predicated on verifying the device record information as stored in the mobile device 32 against the corresponding device record information as stored in the directory server 10.
FIGS. 4 and 5 summarize the above process, wherein, in FIG. 4, the directory server 10 generates preliminary subscription identities (Block 100) (e.g., generates device records 22 comprising pairs of PIMSIs 24 and secret keys 26). The directory server 10 then distributes the preliminary subscription identities to mobile device manufacturers (Block 102). That operation may be a “push” from the directory server 10, or a “pull” from the directory server 10, with all such transfers subject to appropriate security verification, etc. Communications between the directory server 10 and the initial provisioning servers 30 may be Internet-based, or based on some other network connectivity.
Regardless, the directory server 10 generates individual device records 22, each including a temporary device identifier 24 and a secret key 26 (denoted as “Kp”) as a pair. As noted, the temporary identifier 24 may comprise a PIMSI. In at least one embodiment, the PIMSI is equal to the UMTS/GSM IMSI number, such that standard mobile terminal authentication procedures can be used for the PIMSI. The directory server 10 thus sends PIMSI/Kp pairs to initial provisioning servers 30 as the device records 22. For example, multiple device records 22 are sent as PIMSI1/Kp1, PIMSI2/Kp2, . . . , and so on. The directory server 10 also may send its network address information, or the initial provisioning server 30 may be configured with that information.
FIG. 5 illustrates that the initial provisioning server 30 of a given mobile device manufacturer supports provisioning individual mobile devices 32 using the preliminary subscription information received from the directory server 10 (Block 104). The initial provisioning server 30 also may load into each mobile device 32 network address information for the directory server 10, along with a listing of network operators that support use of the preliminary subscription information (Block 106). (This listing thus allows the mobile device 32 later to select an appropriate network operator, assuming multiple network operators provide coverage in the mobile's location, for carrying out over-the-air provisioning of the mobile device 32 with permanent subscription credentials.)
In more detail, the initial provisioning server 30 may be configured to generate a public/private key pair, denoted as PuK/PrK, using secure processing. In such embodiments, the preliminary subscription information for device record 22-x thus would include PuKx, PrKx, Kpx, and the temporary device identifier 24 (e.g., PIMSIx). The initial provisioning server 30 loads this information in the trusted module 44 of the mobile device 32. The initial provisioning server 30 also loads, as mentioned, a listing of network operators that support use of the preliminary subscription information, e.g., a listing of network operators that will accept the use of PIMSIs for gaining temporary network access. The initial provisioning server also may load network address information for the directory server 10.
More generally, it should be understood that, in one or more embodiments, the trusted module 44 of the mobile device 32 is provisioned with the temporary device identifier 24 (e.g., PIMSIx), the secret key Kpx, and the public/private key pair PuKx/PrKx (for later use in over-the-air activation of the mobile device 32), and that all such values may be provided by the initial provisioning server 30, or that one or more of them may be self-generated by the mobile device 32. For example, in at least one embodiment, the mobile device 32 is configured to generate the public/private key pair PuKx/PrKx. The provisioning information also generally includes a listing of network operators that support temporary wireless communication network access via use of the temporary device identifier 24, and may optionally include network address information for the directory server 10.
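The batch generation and initial provisioning described above (Blocks 100 through 106), as an added example that is not the patent's own code: a toy directory server generates device records as PIMSI/Kp pairs, assigns a disjoint PIMSI range to each manufacturer so that the manufacturer can be recovered from a reported PIMSI, keeps a PDI lookup table (the PDI being a one-way hash of the PIMSI), and a provisioning helper shows which of those values end up in the device's trusted module. The 15-digit PIMSI layout, the constructed prefix 999990, the range width, SHA-256 as the PDI hash and all names are assumptions, not details from the patent.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed PIMSI layout (not specified by the patent): a 15-digit, IMSI-shaped
# string so standard GSM/UMTS registration can carry it. The first six digits
# are a constructed MCC/MNC; the 9-digit tail is split into one-million-wide
# ranges, one range per manufacturer.
PIMSI_PREFIX = "999990"
RANGE_SIZE = 1_000_000


@dataclass
class DeviceRecord:
    pimsi: str                                # temporary device identifier 24
    kp: bytes                                 # secret key 26 (Kp), 128 bits
    pdi: str                                  # Public Device Identifier, one-way hash of PIMSI
    credential_server: Optional[str] = None   # address 28, linked later by the operator


def pdi_of(pimsi: str) -> str:
    """PDI as SHA-256 over the PIMSI (assumed hash). It can be printed on the box
    or given to a sales system without revealing Kp, and cannot be inverted."""
    return hashlib.sha256(pimsi.encode()).hexdigest()


class DirectoryServer:
    def __init__(self) -> None:
        self.records: Dict[str, DeviceRecord] = {}   # keyed by PIMSI
        self.by_pdi: Dict[str, DeviceRecord] = {}    # PDI -> record lookup table
        self.ranges: Dict[int, str] = {}             # range index -> manufacturer

    def generate_batch(self, manufacturer: str, count: int) -> List[DeviceRecord]:
        """Block 100: allocate the next free PIMSI range to `manufacturer` and
        fill it with fresh PIMSI/Kp pairs drawn from the OS CSPRNG."""
        if count > RANGE_SIZE:
            raise ValueError("batch exceeds one manufacturer range")
        rng = len(self.ranges)
        self.ranges[rng] = manufacturer
        batch: List[DeviceRecord] = []
        for i in range(count):
            pimsi = f"{PIMSI_PREFIX}{rng * RANGE_SIZE + i:09d}"
            rec = DeviceRecord(pimsi, secrets.token_bytes(16), pdi_of(pimsi))
            self.records[pimsi] = rec
            self.by_pdi[rec.pdi] = rec
            batch.append(rec)
        return batch

    def manufacturer_of(self, pimsi: str) -> Optional[str]:
        """Recover the manufacturer from the range a reported PIMSI falls in;
        malformed identifiers yield None rather than an exception."""
        if len(pimsi) != 15 or not pimsi.isdigit() or not pimsi.startswith(PIMSI_PREFIX):
            return None
        return self.ranges.get(int(pimsi[len(PIMSI_PREFIX):]) // RANGE_SIZE)


def provision_device(rec: DeviceRecord, directory_addr: str, operators: List[str]) -> dict:
    """Blocks 104-106 at the manufacturer's initial provisioning server: the
    values written into the device's trusted module. Kp goes only into the
    trusted module; the PDI may additionally be handed to the buyer."""
    return {"pimsi": rec.pimsi, "kp": rec.kp, "pdi": rec.pdi,
            "directory": directory_addr, "operators": list(operators)}
```

Keeping `by_pdi` as an explicit table is what makes the later PDI-based registration work even though the PDI is a one-way hash: the directory never needs to invert it, only to look it up.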
At some later time, a given mobile device 32 is sold to or otherwise targeted for association with a subscriber of a given network operator. As an example illustration, FIG. 6 depicts three different credential servers 60-1, 60-2, and 60-3, which may represent credentialing elements from three different network operators. The illustrated credential servers 60 are communicatively coupled to the directory server 10, and are thus able to indicate to the directory server 10 which ones of the device records 22 held by the directory server 10 are to be associated with or otherwise linked to which ones of the credential servers 60.
FIG. 7 illustrates an example embodiment, wherein the credential server 60-x of a given network operator communicates with the directory server 10, e.g., via an Internet or other network connection. Particularly, the credential server 60-x obtains or is otherwise provided with subscriber data (Block 110). For example, a sales or other computer system provides the credential server 60-x with subscriber details for particular PDIs, where the PDIs correspond to individual device records 22 in the directory server 10. The credential server 60-x thus may receive subscriber records, where each subscriber record includes details for a particular subscriber, along with a PDI and the address of the directory server 10 that holds the device record 22 corresponding to that PDI.
Thus, a PDI corresponding to a particular temporary device identifier 24 is associated with or otherwise linked to data for a particular subscriber at the credential server 60-x. This subscription data, which functions as subscription credentials, also may include secret subscription values, like a UMTS “master key.” In any case, processing continues with the credential server 60-x sending PDI information to the directory server 10 (Block 112). Receipt of that PDI information causes the directory server 10 to associate or otherwise link the device records 22 corresponding to the received PDI information with the credential server 60-x.
The directory server 10 therefore is configured to receive a PDI from the credential server 60-x, and, in response, to link the device record 22 corresponding to the PDI with the credential server 60-x. As one example, the PDI is a one-way hash of a PIMSI, and the device directory 10 processes the PDI to obtain the corresponding PIMSI, and then uses the recovered PIMSI to index into one or more batches 20 of stored device records 22, to identify the device record 22 that matches the recovered PIMSI.
Once the correct device record 22 is identified, the directory server 10 links it to the credential server 60-x, e.g., it stores network address information for the credential server 60-x in the identified device record 22, or causes that device record 22 to “point” to the credential server 60-x. For each such linked PDI-device record 22, the credential server 60-x receives a second secret key from the directory server 10 (Block 114). That second secret key is denoted as Kt to indicate its temporary status. The directory server 10 derives Kt from the secret key Kp of the involved device record 22. For example, Kt=F(Kp), where “F” denotes a suitable cryptographically strong one-way function. The credential server 60-x stores this temporary key Kt with the rest of the subscriber data associated with the given PDI.
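The preliminary subscriber registration of FIG. 7 (Blocks 110 through 114), as an added example that is not the patent's code: a credential server receives subscriber records carrying a PDI, submits the PDI to the directory server, the directory resolves the PDI through a lookup table built when the batch was generated (a one-way hash cannot be inverted, so in practice "processing the PDI to obtain the PIMSI" is a table lookup), links the matching device record to that credential server, and returns Kt = F(Kp). The choice of F as an HMAC-SHA-256 derivation with a fixed label, the refusal to re-link a record already claimed by a different operator, the two constructed device records, and all names are assumptions; the patent only requires F to be a cryptographically strong one-way function.

```python
import hashlib
import hmac
from typing import Dict, Optional


def pdi_of(pimsi: str) -> str:
    """PDI = SHA-256(PIMSI), the assumed one-way hash."""
    return hashlib.sha256(pimsi.encode()).hexdigest()


def derive_kt(kp: bytes) -> bytes:
    """Kt = F(Kp). HMAC keyed by Kp with a fixed label is the assumed F: the
    operator learns Kt but cannot recover Kp from it."""
    return hmac.new(kp, b"pimsi-temporary-key", hashlib.sha256).digest()[:16]


# Constructed directory contents: two device records 22 from an earlier batch.
DIRECTORY_RECORDS: Dict[str, dict] = {
    "999990000000001": {"kp": bytes.fromhex("00112233445566778899aabbccddeeff"), "credential_server": None},
    "999990000000002": {"kp": bytes.fromhex("ffeeddccbbaa99887766554433221100"), "credential_server": None},
}
# PDI -> PIMSI table, filled when the batch was generated.
PDI_INDEX: Dict[str, str] = {pdi_of(p): p for p in DIRECTORY_RECORDS}


class DirectoryServer:
    def link_device(self, pdi: str, credential_server_addr: str) -> Optional[bytes]:
        """Blocks 112-114: link the record for `pdi` to the requesting operator and
        hand back Kt. Unknown PDIs get None. A record already claimed by another
        operator is not re-linked (assumed policy), so a second party cannot
        redirect a device's credentialing after the first registration."""
        pimsi = PDI_INDEX.get(pdi)
        if pimsi is None:
            return None
        rec = DIRECTORY_RECORDS[pimsi]
        if rec["credential_server"] not in (None, credential_server_addr):
            return None
        rec["credential_server"] = credential_server_addr
        return derive_kt(rec["kp"])


class CredentialServer:
    def __init__(self, addr: str, directory: DirectoryServer) -> None:
        self.addr = addr
        self.directory = directory
        self.subscribers: Dict[str, dict] = {}   # subscriber data keyed by PDI

    def register_subscriber(self, pdi: str, details: dict) -> bool:
        """Block 110 onward: store subscriber details under the PDI, ask the
        directory to link the device, and keep the returned Kt with the data."""
        kt = self.directory.link_device(pdi, self.addr)
        if kt is None:
            return False
        self.subscribers[pdi] = {**details, "kt": kt}
        return True
```

Because the credential server only ever holds Kt, a compromise of an operator's subscriber database exposes the temporary key but not the Kp that the directory still uses to issue authentication vectors.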
In the context of the above preliminary subscriber registration, given mobile device manufacturers may send PDIs and corresponding device directory address information directly to network operators. For example, an initial provisioning server 30 or other manufacturer's computer system may be communicatively coupled to the credential servers 60 of one or more network operators. Such communications allow mobile device manufacturers to link particular mobile devices 32 to particular network operators prior to any retail sales.
Additionally or alternatively, individual mobile devices 32 are shipped to their respective purchasers. The PDIs and device directory associations for those mobile devices 32 are provided to those purchasers, such as in written or electronic form accompanying the mobile devices themselves. Thus, once an end-user buys or otherwise obtains a particular mobile device 32, that end-user registers the PDI and device directory information of that mobile device 32 with the credential server 60 belonging to a network operator of choice.
FIG. 8 illustrates one embodiment of this end-user registration as part of an overall methodology contemplated herein. As illustrated at Step 1, a directory server 10 provides a PIMSI/secret key pair (PIMSIx/Kpx) to an initial provisioning server 30. The provided data matches a device record 22 stored within the directory server 10.
At Step 2, the initial provisioning server 30 generates a public/private key pair, PuKx/PrKx, and initially provisions an individual mobile device 32-x by loading it with PuKx/PrKx, Kpx, PIMSIx, network address information for the directory server 10, and a listing of participating network operators. Alternatively, the mobile device 32-x self-generates PuKx/PrKx, rather than those values being generated by the initial provisioning server 30.
At Step 3, an end-user or other subscriber associated with the mobile device 32-x submits subscriber registration data to the credential server 60. As an example, the credential server 60 receives subscriber identity and billing information, along with PDIx, and network address or other identifying information for a directory server 10.
At Step 4, the credential server 60 submits PDIx to the directory server 10, thereby causing the directory server 10 to process PDIx and identify the corresponding device record 22-x, and link that device record 22-x to the submitting credential server 60.
At Step 5, the directory server 10 returns a temporary secret key, Ktx, to the credential server 60.
At Step 6, the mobile device 32-x contacts a wireless communication network 70 and provides it with its temporary device identifier 24, e.g., with PIMSIx. More particularly, the mobile device 32-x may be configured to attempt to register with the wireless communication network 70 using standard GSM/UMTS registration procedures in which it provides its PIMSIx to the network 70 as part of registration. Further, the mobile device 32-x may be configured to determine that the network 70 is appropriate for such registration attempts, based on its stored listing of network operators that support use of temporary device identifiers 24 as a basis for gaining long-term subscription credentials via over-the-air provisioning.
Also, as part of Step 6, the network 70 passes the PIMSIx obtained from the mobile device 32-x to an authentication server 72. The authentication server 72 may be, for example, a Visitor Location Register (VLR) and/or a Home Location Register (HLR) associated with the network 70 or with a home network of a network operator associated with the mobile device 32.
At Step 7, the authentication server 72 recognizes the PIMSIx as a temporary identifier, and passes the PIMSIx to the appropriate directory server 10. In one or more embodiments, the authentication server 72 is configured to determine the network address information for the directory server 10 from the PIMSIx received from the mobile device 32-x.
At Step 8, the directory server 10 finds the correct data record 22-x corresponding to the PIMSIx as received from the authentication server 72. As part of this processing, the directory server 10 may determine the validity of the PIMSIx by checking whether the PIMSIx is blocked, expired, or has otherwise been used more than an allowed number of times. Thus, if the PIMSIx exists within the batch(es) 20 of device records 22 stored at the directory server 10 and is valid, the directory server 10 calculates a temporary authentication vector for the mobile device 32-x and returns the authentication vector to the authentication server 72.
In one or more embodiments, the device directory 10 is configured to derive the authentication vector using the secret key Kpx stored in the device record 22-x for the mobile device 32-x. In this regard, the device directory 10 can be configured to generate the authentication vector using standardized 3rd Generation Partnership Project (3GPP) procedures, such as the MILENAGE algorithm. Doing so increases interoperability. Regardless, Step 8 is shown continuing across the authentication server 72, indicating that the authentication vector is passed back to the network 70.
At Step 9, the network 70 uses the authentication vector to grant temporary access, e.g., temporary packet data access, to the mobile device 32-x. As one example, the authentication vector is valid for a limited amount of time, e.g., one minute, and/or is valid for a very limited amount of data transfer.
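Steps 6 through 9 as a simulation, added here and not part of the patent: the directory server validates the reported PIMSI (known, not blocked, not expired, under the allowed number of uses), derives a temporary authentication vector from Kp, and the serving network runs a challenge/response against the device before granting packet access that expires after one minute. The vector (RAND, XRES, CK) is an HMAC-SHA-256 stand-in for the MILENAGE functions the patent names, and the use limit of three, the three constructed device records, the record layout and the function names are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

MAX_USES = 3          # assumed allowed number of registration attempts per PIMSI
AV_LIFETIME_S = 60    # the patent's example: access valid for about one minute

# Constructed Kp values for three device records.
KP1 = bytes.fromhex("00112233445566778899aabbccddeeff")
KP2 = bytes.fromhex("ffeeddccbbaa99887766554433221100")
KP3 = bytes.fromhex("0123456789abcdef0123456789abcdef")

# Constructed directory contents; `expires` is an absolute epoch time.
DIRECTORY_RECORDS: Dict[str, dict] = {
    "999990000000001": {"kp": KP1, "uses": 0, "blocked": False, "expires": 2_000_000_000},
    "999990000000002": {"kp": KP2, "uses": 0, "blocked": True,  "expires": 2_000_000_000},
    "999990000000003": {"kp": KP3, "uses": 0, "blocked": False, "expires": 1_000_000_000},
}


def compute_res(kp: bytes, rand: bytes) -> bytes:
    """f2-like response function, shared by directory (XRES) and device (RES)."""
    return hmac.new(kp, b"RES" + rand, hashlib.sha256).digest()[:8]


def compute_ck(kp: bytes, rand: bytes) -> bytes:
    """f3-like cipher-key derivation for the temporary session."""
    return hmac.new(kp, b"CK" + rand, hashlib.sha256).digest()[:16]


def validate_and_make_av(pimsi: str, now: Optional[float] = None) -> Optional[dict]:
    """Step 8 at the directory server: check PIMSI validity, then build the
    authentication vector from Kp. Every attempt on a known PIMSI counts
    toward the use limit, so a stolen identifier cannot be retried forever."""
    now = time.time() if now is None else now
    rec = DIRECTORY_RECORDS.get(pimsi)
    if rec is None:
        return None
    rec["uses"] += 1
    if rec["blocked"] or now > rec["expires"] or rec["uses"] > MAX_USES:
        return None
    rand = secrets.token_bytes(16)
    return {"rand": rand, "xres": compute_res(rec["kp"], rand),
            "ck": compute_ck(rec["kp"], rand), "valid_until": now + AV_LIFETIME_S}


def device_respond(kp: bytes, rand: bytes) -> bytes:
    """Step 9 on the device: RES from its own Kp; it never sees XRES."""
    return compute_res(kp, rand)


def network_grant_access(pimsi: str, device_kp: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Steps 6-9 at the serving network / authentication server. Returns the
    temporary session (cipher key and expiry) or None when access is refused."""
    now = time.time() if now is None else now
    av = validate_and_make_av(pimsi, now)
    if av is None:
        return None
    res = device_respond(device_kp, av["rand"])
    if not hmac.compare_digest(res, av["xres"]):
        return None
    return {"pimsi": pimsi, "ck": av["ck"], "valid_until": av["valid_until"]}
```

The network only ever receives RAND, XRES and CK; Kp stays at the directory and in the device's trusted module, which is what lets a visited operator grant the temporary access without being trusted with the long-term secret.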
AtStep10, the mobile device32-xuses its temporary access to communicate with thedirectory server10. In this regard, it was noted that network address information for thedirectory server10 can be included as part of the mobile device's initial provisioning information. Thus, the mobile device32-xcan use that stored information to contact theappropriate directory server10 after gaining temporary access. While the diagram appears to show communication directly between the mobile device32-xand thedirectory server10, those skilled in the art will appreciate that the link may be indirect, and, in general, includes an over-the-air connection being supported by thenetwork70 according to the temporary authentication vector. With its communicative link to thedirectory server10, the mobile device32-xrequests that thedirectory server10 provide it with the credential server address information linked at thedirectory server10 to its PIMSIx.
AtStep11, thedirectory server10 returns the credential server address information to the mobile device32-x.
AtStep12, the mobile device32-xgenerates a new temporary key, Ktx. In at least one embodiment, the mobile device32-xderives Ktxfrom its secret key Kpx.
At Step 13, the mobile device 32-x sends a credential request to the credential server 60, as identified by the credential server address information returned to the mobile device 32-x from the device directory 10. (Again, such communications generally are indirect, with at least one part of the link supported by an over-the-air connection made through the network 70.) In one embodiment, this request is protected using the temporary key Ktx and, possibly, a Message Authentication Code (MAC). In another embodiment, the connection is protected by the temporary key Ktx and a transport security protocol, such as TLS. Regardless, in at least one embodiment, the request includes the mobile device's public key PuKx and the PDIx corresponding to the mobile device's PIMSIx.
At Step 14, the credential server 60 creates permanent (long-term) subscription credentials for the mobile device 32. For example, it may generate a Soft Subscriber Identity Module (SSIM) or other form of software-based authorization information. Such data may include both SIM credentials and SSIM parameters. SSIM parameters may include SIM algorithms having specific applicability to the network operator associated with the credential server 60.
At Step 15, the credential server 60 encrypts the permanent subscription credentials using the public key of the mobile device 32, PuKx, and sends them to the mobile device 32. In another embodiment, the credential server uses the temporary key, Ktx, to encrypt the permanent subscription credentials. Doing so, however, raises a possible security implication because Ktx is derived from the secret key Kpx, which is also held at the directory server 10.
At Step 16, the mobile device receives the encrypted permanent subscription credentials, decrypts them, and installs them, e.g., within its trusted module 44. This process may include any needed SIM or other software updating. Regardless, the mobile device 32 is now provisioned with permanent subscription credentials, giving the mobile device 32 access to home and visitor wireless communication networks within any limits established by those credentials.
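The flow of Steps 8 through 13, as an added example that is not part of the patent or of Ericsson's implementation: a small Python simulation in which the directory server issues a time- and volume-limited authentication vector for a known PIMSI, the network meters the temporary access it grants, and the device derives Ktx from Kpx to MAC its credential request. MILENAGE is replaced by an HMAC-SHA256 stand-in, and the identifiers, credential server address, message layout, one-minute/byte-quota limits and the hand-over of Ktx to the credential server are assumptions made here.

```python
"""Offline simulation of Steps 8-13 above (added example, not the patent's code).
MILENAGE is replaced by an HMAC-SHA256 stand-in (prf); the PIMSI/PDI/address values,
message layout and 60 s / 4096-byte access limits are constructed here, and the
credential server is assumed to receive Ktx from the directory (not specified above)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Length-prefixed HMAC-SHA256, standing in for the MILENAGE functions."""
    mac = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()

@dataclass
class DeviceRecord:                 # record 22-x at the device directory, keyed by PIMSI
    kp: bytes                       # secret key Kpx, shared with the device
    pdi: str                        # device identifier PDIx
    credential_server: Optional[str] = None   # linked when the operator registers PDIx

@dataclass
class AuthVector:                   # vector 72: challenge, expected response, limits
    rand: bytes
    xres: bytes
    issued_at: float
    ttl_seconds: int = 60           # "valid for a limited amount of time"
    byte_quota: int = 4096          # "very limited amount of data transfer"

class DirectoryServer:
    def __init__(self) -> None:
        self.records: Dict[str, DeviceRecord] = {}
    def validate(self, pimsi: str, now: float) -> Optional[AuthVector]:
        """Step 8: issue a vector only if the PIMSI has a valid record."""
        rec = self.records.get(pimsi)
        if rec is None:
            return None
        rand = secrets.token_bytes(16)
        return AuthVector(rand, prf(rec.kp, b"f2", rand)[:8], now)

class Network:                      # network 70: challenges the device, meters its access
    def __init__(self, directory: DirectoryServer) -> None:
        self.directory = directory
        self.sessions: Dict[str, Tuple[AuthVector, int]] = {}   # pimsi -> (vector, bytes used)
    def attach(self, pimsi: str, respond: Callable[[bytes], bytes], now: float) -> bool:
        av = self.directory.validate(pimsi, now)
        if av is None or not hmac.compare_digest(respond(av.rand), av.xres):
            return False
        self.sessions[pimsi] = (av, 0)
        return True
    def allow_transfer(self, pimsi: str, nbytes: int, now: float) -> bool:
        """Step 9: refuse once the vector has expired or the byte quota is used up."""
        if pimsi not in self.sessions:
            return False
        av, used = self.sessions[pimsi]
        if now - av.issued_at > av.ttl_seconds or used + nbytes > av.byte_quota:
            del self.sessions[pimsi]            # temporary access ends here
            return False
        self.sessions[pimsi] = (av, used + nbytes)
        return True

class MobileDevice:
    def __init__(self, pimsi: str, kp: bytes, pdi: str, pubkey: bytes) -> None:
        self.pimsi, self.kp, self.pdi, self.pubkey, self.rand = pimsi, kp, pdi, pubkey, b""
    def respond(self, rand: bytes) -> bytes:
        self.rand = rand                        # kept for the Ktx derivation
        return prf(self.kp, b"f2", rand)[:8]
    def credential_request(self) -> Tuple[bytes, bytes]:
        """Steps 12-13: derive Ktx from Kpx and MAC the request carrying PDIx and PuKx."""
        kt = prf(self.kp, b"temp-key", self.rand)
        body = self.pdi.encode() + b"|" + self.pubkey
        return body, hmac.new(kt, body, hashlib.sha256).digest()

def verify_request(kt: bytes, body: bytes, tag: bytes) -> bool:
    """Credential server 60: check the MAC before creating permanent credentials."""
    return hmac.compare_digest(hmac.new(kt, body, hashlib.sha256).digest(), tag)

def run_activation(now: float = 1000.0) -> dict:
    """Drive one constructed device through the flow and report each check."""
    directory = DirectoryServer()
    directory.records["PIMSI-0001"] = DeviceRecord(
        secrets.token_bytes(16), "PDI-0001", "https://credentials.operator.example")
    device = MobileDevice("PIMSI-0001", directory.records["PIMSI-0001"].kp, "PDI-0001", b"PUBKEY-PLACEHOLDER")
    network = Network(directory)
    out = {"unknown_rejected": not network.attach("PIMSI-9999", device.respond, now)}
    out["attached"] = network.attach("PIMSI-0001", device.respond, now)
    out["address"] = (directory.records["PIMSI-0001"].credential_server        # Step 11 lookup
                      if network.allow_transfer("PIMSI-0001", 200, now + 1) else None)
    body, tag = device.credential_request()
    # Step 15 caveat: the directory holds Kpx, so it can derive Ktx too; here it hands Ktx over.
    kt = prf(directory.records["PIMSI-0001"].kp, b"temp-key", device.rand)
    out["request_ok"] = verify_request(kt, body, tag)
    out["tampered_rejected"] = not verify_request(kt, body.replace(b"PDI-0001", b"PDI-0002"), tag)
    out["expired_rejected"] = not network.allow_transfer("PIMSI-0001", 1, now + 120)
    network.attach("PIMSI-0001", device.respond, now + 120)  # fresh vector, then overrun the quota
    out["quota_enforced"] = not network.allow_transfer("PIMSI-0001", 5000, now + 121)
    return out
```

The last two checks show why the limits in Step 9 matter: a device cannot keep using the preliminary credentials once the vector expires or its byte allowance is spent, and the MAC check shows the credential server rejecting a request whose PDIx was altered in transit.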
A basic but non-limiting idea realized by the above arrangement is that mobile device manufacturers are permitted to initially provision mobile devices 32 in such a way that they can be later activated (permanently provisioned) using over-the-air activation through any number of participating network operators. This arrangement thus allows a mobile device 32 to gain temporary wireless communication network access using preliminary subscription identity information, and then use that access to obtain the address of, and a connection to, a credential server that will provide it with permanent subscription information. Put simply, a potentially large number of different network operators may agree to participate in the described arrangement, and communicatively link their respective wireless communication networks to the directory server 10 (or to any one of a number of different directory servers 10).
Thus, a system and method for facilitating over-the-air mobile communication device activation are presented herein. However, it should be understood that the foregoing description and the accompanying drawings represent non-limiting examples of the methods, systems, and individual apparatuses taught herein. As such, the present invention is not limited by the foregoing description and accompanying drawings. Instead, the present invention is limited only by the following claims and their legal equivalents.

Claims (18)

1. A method of facilitating over-the-air mobile communication device activation comprising, at a centralized device directory server:
storing a device record that comprises preliminary subscription credential information for a mobile device;
sending at least part of the preliminary subscription credential information securely to an initial provisioning party, for use in initially provisioning the mobile device;
receiving a device identifier for the mobile device from a credential server of a given network operator associated with an intended end-user of the mobile device, and correspondingly linking network address information of the credential server to the device record;
receiving a validation request from an authentication server, responsive to the mobile device attempting to access a wireless communication network using the preliminary subscription credential information;
sending an authentication vector to the authentication server that is based on a secret key included in the preliminary subscription credential information, if the preliminary subscription credential information for the mobile device is valid;
receiving a credential server address request from the mobile device, subsequent to the mobile device gaining temporary access to the wireless communication network via the authentication vector; and
sending network address information for the credential server to the mobile device, as linked in the device record stored for the mobile device.
9. A system for facilitating over-the-air mobile communication device activation including a centralized device directory server that comprises one or more processing circuits configured to:
store a device record that comprises preliminary subscription credential information for a mobile device;
send at least part of the preliminary subscription credential information securely to an initial provisioning party, for use in initially provisioning the mobile device;
receive a device identifier for the mobile device from a credential server of a given network operator associated with an intended end-user of the mobile device, and correspondingly link network address information of the credential server to the device record;
receive a validation request from an authentication server, responsive to the mobile device attempting to access a wireless communication network using the preliminary subscription credential information;
send an authentication vector to the authentication server that is based on a secret key included in the preliminary subscription credential information, if the preliminary subscription credential information for the mobile device is valid; and
receive a credential server address request from the mobile device, subsequent to the mobile device gaining temporary access to the wireless communication network via the authentication vector, and to correspondingly send network address information for the credential server to the mobile device, as linked in the device record stored for the mobile device.

Priority Applications (8)

Application Number | Publication | Priority Date | Filing Date | Title
US11/948,352 | US8064597B2 (en) | 2007-04-20 | 2007-11-30 | Method and system for mobile device credentialing
TW097110629A | TWI437867B (en) | 2007-04-20 | 2008-03-25 | Method and system for mobile device authentication
EP08735870A | EP2140717B1 (en) | 2007-04-20 | 2008-04-07 | Method and system for mobile device credentialing
CN2008800169239A | CN101690287B (en) | 2007-04-20 | 2008-04-07 | Method and system for mobile device attestation
JP2010503453A | JP5074578B2 (en) | 2007-04-20 | 2008-04-07 | Method and system for mobile device credential processing
AT08735870T | ATE519340T1 (en) | 2007-04-20 | 2008-04-07 | METHOD AND SYSTEM FOR MOBILE DEVICE AUTHORIZATION
PCT/EP2008/054136 | WO2008128873A1 (en) | 2007-04-20 | 2008-04-07 | Method and system for mobile device credentialing
CA2684657A | CA2684657C (en) | 2007-04-20 | 2008-04-07 | Method and system for mobile device credentialing

Applications Claiming Priority (2)

Application Number | Publication | Priority Date | Filing Date | Title
US91309007P | | 2007-04-20 | 2007-04-20 |
US11/948,352 | US8064597B2 (en) | 2007-04-20 | 2007-11-30 | Method and system for mobile device credentialing

Publications (2)

Publication Number | Publication Date
US20080260149A1 (en) | 2008-10-23
US8064597B2 (en) | 2011-11-22

Family

ID=39872203

Family Applications (1)

Application Number | Status | Publication | Priority Date | Filing Date | Title
US11/948,352 | Active, expires 2030-09-21 | US8064597B2 (en) | 2007-04-20 | 2007-11-30 | Method and system for mobile device credentialing

Country Status (9)

Country | Link
US (1) | US8064597B2 (en)
EP (1) | EP2140717B1 (en)
JP (1) | JP5074578B2 (en)
CN (1) | CN101690287B (en)
AT (1) | ATE519340T1 (en)
CA (1) | CA2684657C (en)
ES (1) | ES2368683T3 (en)
TW (1) | TWI437867B (en)
WO (1) | WO2008128873A1 (en)

Also Published As

Publication number | Publication date
TW200910899A (en) | 2009-03-01
TWI437867B (en) | 2014-05-11
CA2684657A1 (en) | 2008-10-30
CA2684657C (en) | 2015-08-11
JP5074578B2 (en) | 2012-11-14
ES2368683T3 (en) | 2011-11-21
CN101690287B (en) | 2013-02-27
US20080260149A1 (en) | 2008-10-23
WO2008128873A1 (en) | 2008-10-30
EP2140717B1 (en) | 2011-08-03
ATE519340T1 (en) | 2011-08-15
EP2140717A1 (en) | 2010-01-06
CN101690287A (en) | 2010-03-31
JP2010527522A (en) | 2010-08-12


Legal Events

Code | Title | Description
AS | Assignment | Owner name: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL), SWEDEN. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:GEHRMANN, CHRISTIAN;REEL/FRAME:020400/0345. Effective date: 20071216
STCF | Information on status: patent grant | Free format text: PATENTED CASE
CC | Certificate of correction |
FPAY | Fee payment | Year of fee payment: 4
MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Year of fee payment: 8
MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Year of fee payment: 12

